
I have configured netflix-zuul in my application to call other services, and it is necessary to include a certificate in the application.

I am trying to do the same as in this question (using netflix-zuul with a certificate) but I am having problems.

For example, in this link it indicates that a .keystore is used, but the files that I have are a .cer and a .key, and I don't see how to apply a certificate with the files that I have.

Could you help me to connect the certificate I have with the netflix-zuul proxy of my application?

Thank you very much to all!

EDIT -> I have tried the solution from this link; my code:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

private static final String KEYSTOREPATH = "E:/ARC/myapp/src/main/java/com/myapp/services/myapp/myapp.cer";

@Bean
public CloseableHttpClient httpClient() throws Throwable {
    // You could get a resource as a stream instead; try-with-resources closes it.
    try (InputStream is = new FileInputStream(KEYSTOREPATH)) {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert = (X509Certificate) cf.generateCertificate(is);

        TrustManagerFactory tmf = TrustManagerFactory
            .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null); // You don't need the KeyStore instance to come from a file.
        ks.setCertificateEntry("caCert", caCert);
        tmf.init(ks);

        // Trust store contains only caCert: server chains must anchor at it.
        // No KeyManager is configured, so no client certificate is presented.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        return HttpClients.custom().setSSLContext(sslContext).build();
    }
}

And when executing the path configured in netflix-zuul I get this error:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 105 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 111 common frames omitted
Javier

2 Answers

You can try building the SSLContext and trusting the certificate from the .cer file as described here: Using SSLContext with just a CA certificate and no keystore

Mohit Singh
  • Thank you very much Mohit for answering. I have tried what they put in the link you told me, and when I start the application and call a netflix-zuul service, I get an error that it cannot find the certificate: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target – Javier Nov 25 '19 at 16:44

Javier, I was able to build the SSLContext as below. Are you still having the issue?

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.junit.Test;

@Test
public void sslContext() {
    Class demoClass = Demo.class;
    // test.cert is loaded from the classpath, not from an absolute path
    try (InputStream is = demoClass.getResourceAsStream("/test.cert")) {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert = (X509Certificate) cf.generateCertificate(is);
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null); // You don't need the KeyStore instance to come from a file.
        ks.setCertificateEntry("caCert", caCert);
        tmf.init(ks);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
        e.printStackTrace();
    }
}
Mohit Singh